OverSeer Posted April 13, 2009 Posted April 13, 2009 I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked.
agsteele Posted April 13, 2009 Posted April 13, 2009 I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked. hi OverSeer! If you think through your question carefully you'll realise that you really haven't provided much information to help anyone offer anything other than generic answers. You'll need to tell us about how you've configured your SpamCop Email account (which block lists you've selected, whether you use grey-listing, what your SpamAssassin levels are). You'll need to tell us how mailo reaches your Sc account (Does it receive Email forwarded from another Email address and if so, is that a so called catch-all Email address). In fact there are so many considerations that nobody can much more than guess at reasons without more information. If you've reported these items then send a few tracking links and that may give some extra clues. FWIW I got my typical half dozen spams to report when I last checked in. But that is a meaningless figure unless you also know how I have configured my account. (I use grey-listing, have spam Assassin set at 4 and have used SpamCop Blacklist, Spamhaus Blacklist, China (the country), Nigeria, Argentina, Brazil, Spamhaus XBL.) Andrew
StevenUnderwood Posted April 13, 2009 Posted April 13, 2009 I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked. Check the headers of the spam and it will tell you why each message got though... often, a sudden increase means that you recently whitelisted your own address.
AndrewB Posted April 13, 2009 Posted April 13, 2009 I too am seeing a significant number of what should be spam mail get into my inbox. My spam detection rates have plummeted in the past week from approximately 99.999999% (ie, one or two escapees making it to my inbox every week) to dozens that get through daily.. I estimate my current detection rate is between 66% and 75%. I am just using the spamcop.net bl list, and have a SpamAssassin threshold of 5. All of these escapee messages have SpamAssassin scores under 5. Here are some sample reports: http://www.spamcop.net/sc?id=z2787948062zd...3eb290fbf5e15bz http://www.spamcop.net/sc?id=z2787949137z9...9bfda269c47c1fz http://www.spamcop.net/sc?id=z2787949407z4...2cd121d6e42842z http://www.spamcop.net/sc?id=z2787948557z2...ee943f63f1804bz In the last 12 hours, I've had 38 messages get through that should have been caught, out of 53 total messages. This may be the future of spam that Overseer and I are experiencing. And it doesn't look good. AndrewB
DavidT Posted April 13, 2009 Posted April 13, 2009 I am just using the spamcop.net bl list, and have a SpamAssassin threshold of 5. All of these escapee messages have SpamAssassin scores under 5. All of the samples you linked to *should* have been caught in your Held folder, in that they were all blocked due to SCBL listings, and yet you seem to be saying that they made it to your inbox? Please clarify. BTW, I lowered my SA threshhold from 5 to 4 years ago, as 5 seemed to allow too many false negatives. I've been receiving more and more spam in my [at]spamcop.net email account lately... Just last night I received over 114 spam messages. This is nuts. Can anyone explain why these are not getting blocked. I'd agree with those who are suggesting you check your personal whitelist and make sure your address is NOT there. The only other time you posted here (about a year and a half ago), you had your own address whitelisted: http://forum.spamcop.net/forums/index.php?showtopic=8753 We advised you to change that back then, but you never responded to any of us. Also, one of the reasons that you're receiving spam at your SC address is that it's posted publicly in various forums around the web, where spambots can harvest it (just did a Google search and saw about 25 hits). I generally advise people to keep their email address *off* of websites if at all possible. DT
turetzsr Posted April 13, 2009 Posted April 13, 2009 <snip> I am just using the spamcop.net bl list, and have a SpamAssassin threshold of 5. All of these escapee messages have SpamAssassin scores under 5. <snip> All of the samples you linked to *should* have been caught in your Held folder, in that they were all blocked due to SCBL listings, and yet you seem to be saying that they made it to your inbox? Please clarify. <snip> Hi, AndrewB, ...You didn't mention if you checked the idea posted by StevenUnderwood, above. 70692[/snapback]
StevenUnderwood Posted April 13, 2009 Posted April 13, 2009 I'd agree with those who are suggesting you check your personal whitelist and make sure your address is NOT there. The only other time you posted here (about a year and a half ago), you had your own address whitelisted: While possible, there should also be a header that indicates that action was taken that is missing from these messages. I have submitted a problem ticket to try and get someone to look at this.
DavidT Posted April 13, 2009 Posted April 13, 2009 While possible, there should also be a header that indicates that action was taken that is missing from these messages. But wait....are we sure that the sample messages Andrew linked to got whitelisted? I just checked my own mailbox and the whitelisting status header is working just fine. DT
AndrewB Posted April 13, 2009 Posted April 13, 2009 All of the samples you linked to *should* have been caught in your Held folder, in that they were all blocked due to SCBL listings, and yet you seem to be saying that they made it to your inbox? Please clarify. BTW, I lowered my SA threshhold from 5 to 4 years ago, as 5 seemed to allow too many false negatives. Correct - the 4 reports I linked to above are samples of messages that made it to my inbox. I have more, but they are all similar in nature - one to three SpamAssassin rules triggered, scores < 5, and very short messages, some in HTML, with a link to another site. My personal address is NOT on my whitelist or greylist - not an issue for me. ...You didn't mention if you checked the idea posted by StevenUnderwood, above. 70692[/snapback] As you can see in the reports that I offered URLs to, SteveUnderwood's comments don't directly apply to me. The reports do not indicate why it got through, other than the low SpamAssissin score. Unless I'm missing something. AndrewB
turetzsr Posted April 13, 2009 Posted April 13, 2009 <snip> My personal address is NOT on my whitelist or greylist - not an issue for me. AndrewB As you can see in the reports that I offered URLs to, SteveUnderwood's comments don't directly apply to me. <snip> ...Okay, thanks. You can either wait to hear whether StevenUnderwood's trouble report 70698[/snapback] gets a reply or you could ask the SpamCop Deputies yourself by writing to deputies[at]admin.spamcop.net.
OverSeer Posted April 13, 2009 Author Posted April 13, 2009 I've neither whitelisted my own address nor have I changed anything since I've started my service many many years ago... Yet, within the past few weeks, I've been inundated with more and more spam. Also, be that as it may, just because my email address happens to be out there at some sites, shouldn't the purpose of my [at]spamcop.net address be that it BLOCKS spam. It used to work just fine, as I mentioned up until about 2 weeks ago... And the reason I never responded about removing my name as a whitelist was because after I did it, there wasn't an issue so no need to respond. That was some time ago and my maturity in such matters has changed. I tend to leave responses, either positive or negative, now-a-days.
StevenUnderwood Posted April 13, 2009 Posted April 13, 2009 I tend to leave responses, either positive or negative, now-a-days. Thank you as that helps other users know the solution offered works. In a reply today from Trevor: I'll have JT look into this and the SCBL issue you just reported.
DavidT Posted April 13, 2009 Posted April 13, 2009 Correct - the 4 reports I linked to above are samples of messages that made it to my inbox. That doesn't make sense, Andrew, because each of them had a "Disposition" line indicating that the message was indeed blocked due to the source IP address being on the SCBL. Therefore, the next assumption is that in the Filtering Blacklists section of your Spamcop Options, the "SpamCop Blacklist" option is not currently selected. That would explain why those messages are not being held. Please log into the webmail and look into this possibility in the "options." DT
AndrewB Posted April 14, 2009 Posted April 14, 2009 That doesn't make sense, Andrew, because each of them had a "Disposition" line indicating that the message was indeed blocked due to the source IP address being on the SCBL. Therefore, the next assumption is that in the Filtering Blacklists section of your Spamcop Options, the "SpamCop Blacklist" option is not currently selected. That would explain why those messages are not being held. Please log into the webmail and look into this possibility in the "options." Ooof! You are right! Darn. I'm deluged with a lot of spam with the similar subject lines. I'll post some of the ones that got through after a more careful review process. Here are a few that got into my Inbox that I processed today: http://www.spamcop.net/sc?id=z2788952117zc...f98e706c3b1c7fz http://www.spamcop.net/sc?id=z2788925558zb...66ac99f0a51535z http://www.spamcop.net/sc?id=z2788856046z6...18859a131c9605z http://www.spamcop.net/sc?id=z2788818021z1...4c8c5cf27c60c7z http://www.spamcop.net/sc?id=z2788817982z1...aa00f276586b9cz http://www.spamcop.net/sc?id=z2788573740za...bef0941aeae624z http://www.spamcop.net/sc?id=z2788573749z5...d69c0d64bd06e2z http://www.spamcop.net/sc?id=z2788573762z5...b205f803ddea85z Sorry about the wild goose chase. There is now a real goose behind these And I did double check my SpamCop tools settings. Things are as I expect: SpamAssassin at 5, and the SpamCop blacklist is the only one checked. AndrewB
DavidT Posted April 14, 2009 Posted April 14, 2009 Ooof! You are right! What am I right about? That the previous examples were actually from your Held folder, perhaps? The new examples are all ones that were not on the SCBL, and therefore don't have a "Disposition" header line. BTW...I'd recommend using more than just the SCBL in your Blacklists options. DT
AndrewB Posted April 14, 2009 Posted April 14, 2009 What am I right about? That the previous examples were actually from your Held folder, perhaps? The new examples are all ones that were not on the SCBL, and therefore don't have a "Disposition" header line. BTW...I'd recommend using more than just the SCBL in your Blacklists options. Yes, they were from properly held email, but the new examples were not and escaped into my inbox. So what are the recommended blacklists to configure? And why isn't SpamCop's the best? AndrewB
turetzsr Posted April 14, 2009 Posted April 14, 2009 <snip> So what are the recommended blacklists to configure? And why isn't SpamCop's the best? ...There is some guidance in SpamCop Forum thread "How We Use SpamCop, Detailed Examples." ...Which BL is "best" is kind of in the "eye of the beholder" -- whichever works best for you is best. I think DT's suggestion was not meant to imply that SpamCop BL is not "best" but rather that more than one is better than just the one. Right, DT?
DavidT Posted April 14, 2009 Posted April 14, 2009 I think DT's suggestion was not meant to imply that SpamCop BL is not "best" but rather that more than one is better than just the one. Right, DT? I'm often frustrated by what's *not* on the SCBL, in that even though a dozen of us have submitted live samples from a given source, the source isn't listed. Most of the SCBL listings seem to come from spamtrap hits...at least that's how it seems to me. So I'm not saying what's good, bad, or better....they're just different. As for the BLs, I'd suggest selecting ALL of them, unless you have a specific need for communications from one of the countries in the country-specific lists (sorry, Nigeria, but I'm not going to do what it takes to block you). If you do, you can always whitelist specific senders. Using all of the BLs, in addition to a lowered SA threshhold, can keep more spam from reaching your inbox. DT
OverSeer Posted April 14, 2009 Author Posted April 14, 2009 Well, I don't know if something else has changed somewhere but I definitely have less spam since my OP this morning (only one made it into my Inbox)... Regardless I did take the suggestion of selecting all the BLs and lowering my ranking to 5... Thanks for all the help guys!!
AndrewB Posted April 14, 2009 Posted April 14, 2009 As for the BLs, I'd suggest selecting ALL of them, unless you have a specific need for communications from one of the countries in the country-specific lists (sorry, Nigeria, but I'm not going to do what it takes to block you). If you do, you can always whitelist specific senders. Using all of the BLs, in addition to a lowered SA threshhold, can keep more spam from reaching your inbox. Ok, thanks for your advice. I too have enabled all of the blacklists. And after 1.5 hours of inactivity, I have not had any escapee spam mail into my inbox. I'll see how this goes overnight though - that's when the bulk usually appears. Or at least it feels that way when I see my held mail in the morning. Andrew
agsteele Posted April 14, 2009 Posted April 14, 2009 Ok, thanks for your advice. I too have enabled all of the blacklists. And after 1.5 hours of inactivity, I have not had any escapee spam mail into my inbox. Unless you have a great desire to see all the spam in your held folder, I'd recommend grey-listing in addition. Andrew
DavidT Posted April 14, 2009 Posted April 14, 2009 Unless you have a great desire to see all the spam in your held folder, I'd recommend grey-listing in addition. Oh, yes, any of you who have people send directly to your SC address should strongly consider turning on the greylisting. It's done in the "Manage your email forwarding, password, mail report, and greylist settings" option category. I don't use it because I never give out my spamcop address. I have mail forwarded from other addresses, and use the "popgate" function to collect mail from several other sources (although popping from Yahoo has been broken for quite some time). DT
AndrewB Posted April 14, 2009 Posted April 14, 2009 I'll see how this goes overnight though - that's when the bulk usually appears. Or at least it feels that way when I see my held mail in the morning. Although one day's results can't always claim success, I had about 80 spam mails properly held overnight, and one got through. That's acceptable for me at this time. The cbl.abuseat.org blacklist seems to properly detect what SpamAssassin and SpamCop's blacklist miss, based upon my cursory glance of the disposition result in the Held Email webpage. AndrewB
DavidT Posted April 14, 2009 Posted April 14, 2009 Although one day's results can't always claim success, I had about 80 spam mails properly held overnight, and one got through. That's acceptable for me at this time. Very good. Don't forget about the greylisting option, however, because if these are messages being sent directly to your SC email address, greylisting will probably nuke most of the junk before you ever see it. DT
OverSeer Posted April 14, 2009 Author Posted April 14, 2009 I as well only had 2 messages get through the filters to my Inbox. Thanks for the help!
Recommended Posts
Archived
This topic is now archived and is closed to further replies.